# Security

Security issues take precedence over bug fixes and feature work.
Peer reviews and security research are also welcome, to ensure nobody's
instance is ever compromised.


## Where should I report security issues?

Email `:TODO: at project dot org` directly with details and
reproduction steps. Please allow 90 days, counted from when we first reply to
your report, before public disclosure. At that time you may add a copy of
your published findings to the `disclosed` directory to help inform users
about new or improved security measures.

If you wish to be acknowledged below, mention it explicitly and include:

- Your name or alias
- Report date (YYYY-MM-DD)
- Bug reported (name or one-line description)
- Main contact (optional)

(Lack of a `disclosed` folder only means nothing has been reported.)

## Configuration

These are the PROJECT's default settings:

:TODO:

Depending on the user's threat model, these may be tuned:

:TODO:

## Checksum

Although it is possible to install gems with a trust policy, it is not a
widely used feature. In practice we would have to allow installing gems
without a certificate, which defeats the purpose of having a policy.

Instead, we include the checksum of the released gems, as recommended on
[rubygems](https://guides.rubygems.org/security/#include-checksum-of-released-gems-in-your-repository).
To verify the gem before installing it:

```sh
$ gem fetch <%= @scaffold.gem_name %> -v <version>
$ ruby -rdigest/sha2 -e "puts Digest::SHA512.new.hexdigest(File.read('<%= @scaffold.gem_name %>-<version>.gem'))"
```

Compare it with the hash in `checksum/<%= @scaffold.gem_name %>-<version>.gem.sha512` to
verify the integrity of the fetched gem. If the checksum matches, install it:

```sh
$ gem install <%= @scaffold.gem_name %> -v <version>
```

If you wish to audit the gem locally before installation:

```sh
$ gem unpack <%= @scaffold.gem_name %> -v <version>
```

Verify the latest release's checksum before updating as well.
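As an added example (not part of this template or the project's own code), a small Ruby script covering both sides of the process above: the maintainer writing `checksum/<name>-<version>.gem.sha512` at release time, and a user verifying a fetched gem against it before `gem install`. The `checksum` directory matches the path above; the script name `verify_gem.rb` and the acceptance of `sha512sum`-style lines are assumptions.

```ruby
# verify_gem.rb (hypothetical name). Added example: generate and verify the
# checksum/<name>-<version>.gem.sha512 file committed alongside a release.
require "digest/sha2"
require "fileutils"

CHECKSUM_DIR = "checksum" # assumed: relative to the repository root

# Hex SHA-512 of a file, read in binary mode so the digest is identical on
# every platform (File.read in text mode can differ on Windows).
def gem_sha512(gem_path)
  Digest::SHA512.file(gem_path).hexdigest
end

# Maintainer side: record the digest of a freshly built .gem.
# Writes <dir>/<basename>.sha512 containing the bare hex digest; returns its path.
def write_checksum(gem_path, dir = CHECKSUM_DIR)
  FileUtils.mkdir_p(dir)
  out = File.join(dir, "#{File.basename(gem_path)}.sha512")
  File.write(out, "#{gem_sha512(gem_path)}\n")
  out
end

# Parse a checksum file. Accepts a bare hex digest or the `sha512sum` layout
# ("<hex>  <filename>"); anything that is not 128 hex chars is rejected so a
# truncated or corrupted checksum file fails closed instead of "matching".
def read_checksum(checksum_path)
  token = File.read(checksum_path).strip.split(/\s+/).first.to_s.downcase
  unless token.match?(/\A\h{128}\z/)
    raise ArgumentError, "#{checksum_path}: not a SHA-512 hex digest"
  end
  token
end

# User side: true only when the fetched gem's digest equals the recorded one.
def verify_gem(gem_path, checksum_path)
  gem_sha512(gem_path) == read_checksum(checksum_path)
end

# Usage: ruby verify_gem.rb <name-version.gem> <checksum/name-version.gem.sha512>
if __FILE__ == $PROGRAM_NAME && ARGV.size == 2
  ok = verify_gem(*ARGV)
  puts(ok ? "OK: checksum matches, safe to gem install" : "FAIL: mismatch, do not install")
  exit(ok ? 0 : 1)
end
```

A non-zero exit on mismatch lets the check be chained in a release or CI script before `gem install`.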

## Acknowledgments

We would like to thank the following researchers:

| YYYY-MM-DD | Description | Name/alias | email/profile |
|------------|-------------|------------|---------------|
|            |             |            |               |
